TMC's Advisor

The Advisor is published by TMC

Before the Security Scan Part 2

When you run vulnerability scans or pen tests, best practice is to first lay groundwork and “clean up your act,” data-wise. The scan can then be a report card as well as a road map. Previously, we addressed foundational issues: creating a Security Committee, identifying critical or sensitive information and identifying the risks. Now we discuss prioritizing risks and establishing mitigation plans, as well as adopting recommendations from a scan.

By Ellen Koskinen-Dodgson

Ellen Koskinen-Dodgson is President and Managing Partner of TMC IT and Telecom Consulting Inc. She is an IT and Telecommunications Management Consultant, electrical engineer, author, speaker, media resource and Expert Witness.

Risk Register

Once you have identified risks to critical or sensitive information, it’s time to develop an information risk register. Every organization’s risk register looks somewhat different, but at a minimum, we recommend:

Laptops, tablets and smart phones)

The risk register also contains the risk assessment, which is calculated on a 9- or 25-point scale. It uses three columns of the register:

Finally, the register includes columns for tracking the progress of an action plan, if there is one. For example, loss of information through paper-only records could be mitigated through scanning the documents and filing them in an electronic records management system. The tracking columns of the risk register could include:
Vulnerability scanning vs. penetration (pen) testing—both are needed.

A vulnerability scan effectively runs through a checklist of known vulnerabilities (over 50,000) and reports how many of those problems exist on the system. Scans are run on a monthly (or more frequent) basis.

The scanner will rank vulnerabilities by level of risk. Sifting through reported vulnerabilities and making sure they are not false positives is part of the process. There are strategies to reduce the number of false positives.

Pen tests are real-time, manual tests by ethical hackers that probe your defenses and give more accurate and thorough results. Pen tests can range from a day to a week and can be expensive, depending on the extensiveness of the test. They can also affect operations by slowing processes and interfering with staff productivity.

After the Scan

The recommended actions that affect critical and sensitive information are then logged onto your information risk register and tracked.
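As an added illustration of the risk register described earlier (likelihood and impact scored on the 9- or 25-point scale, with tracking columns for the action plan) and of logging a scan's recommended actions onto that register, here is a small Python model. It is example code written for this article, not TMC's own tool or template. The column names, status values, rating bands, the mapping from scanner severity to likelihood, and the sample risks and findings are all assumptions constructed for illustration.

```python
"""Example information risk register (added illustration, not TMC's own tooling).

Scores each risk as likelihood x impact on a 3x3 (9-point) or 5x5 (25-point)
scale, tracks mitigation progress, and logs confirmed scan findings that touch
critical or sensitive information. Rating bands, the severity mapping and all
sample data are assumptions made for this example."""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class RiskEntry:
    asset: str                          # information or its container, e.g. "Laptops, tablets and smart phones"
    risk: str                           # what could go wrong with it
    likelihood: int                     # 1..scale
    impact: int                         # 1..scale
    owner: str = "unassigned"           # tracking columns (assumed): who owns the action plan,
    mitigation: Optional[str] = None    # what the plan is,
    status: str = "open"                # and its state: open / in-progress / mitigated / accepted
    source: str = "assessment"          # "assessment" (committee review) or "scan"


class RiskRegister:
    HIGH_FRACTION = 0.6      # assumed bands: share of the maximum score
    MEDIUM_FRACTION = 0.3    # at which a risk is rated high / medium
    CLOSED_STATUSES = ("mitigated", "accepted")

    def __init__(self, scale: int = 5) -> None:
        if scale not in (3, 5):
            raise ValueError("scale must be 3 (9-point) or 5 (25-point)")
        self.scale = scale
        self.entries: List[RiskEntry] = []

    def add(self, entry: RiskEntry) -> RiskEntry:
        for value in (entry.likelihood, entry.impact):
            if not 1 <= value <= self.scale:
                raise ValueError(f"likelihood/impact must be 1..{self.scale}, got {value}")
        self.entries.append(entry)
        return entry

    def score(self, entry: RiskEntry) -> int:
        return entry.likelihood * entry.impact

    def rating(self, entry: RiskEntry) -> str:
        fraction = self.score(entry) / (self.scale * self.scale)
        if fraction >= self.HIGH_FRACTION:
            return "high"
        if fraction >= self.MEDIUM_FRACTION:
            return "medium"
        return "low"

    def update(self, entry: RiskEntry, status: str,
               owner: Optional[str] = None, mitigation: Optional[str] = None) -> None:
        """Advance the tracking columns for an entry's action plan."""
        entry.status = status
        if owner:
            entry.owner = owner
        if mitigation:
            entry.mitigation = mitigation

    def prioritized(self, include_closed: bool = False) -> List[RiskEntry]:
        """Highest score first; closed items drop out unless requested."""
        chosen = [e for e in self.entries
                  if include_closed or e.status not in self.CLOSED_STATUSES]
        return sorted(chosen, key=lambda e: (-self.score(e), e.asset, e.risk))


# Assumed mapping from a scanner's severity rank to a fraction of the likelihood scale.
SEVERITY_FRACTION = {"critical": 1.0, "high": 0.8, "medium": 0.6, "low": 0.4, "info": 0.2}


def log_scan_findings(register: RiskRegister, findings: List[Dict],
                      classification: Dict[str, str]) -> List[RiskEntry]:
    """Log triaged scan findings that affect critical or sensitive information.

    `classification` maps asset -> "critical" or "sensitive"; assets not listed are
    outside the register's scope. Findings flagged as false positives are skipped."""
    logged = []
    for finding in findings:
        if finding.get("false_positive"):
            continue
        level = classification.get(finding["asset"])
        if level is None:
            continue
        likelihood = max(1, round(SEVERITY_FRACTION[finding["severity"]] * register.scale))
        impact = register.scale if level == "critical" else register.scale - 1
        logged.append(register.add(RiskEntry(finding["asset"], f"Scan finding: {finding['title']}",
                                             likelihood, impact, source="scan")))
    return logged


def build_sample_register() -> RiskRegister:
    """Constructed sample data: two assessed risks plus a handful of scan findings."""
    register = RiskRegister(scale=5)
    register.add(RiskEntry("Paper-only records", "Loss of records to fire, flood or misfiling", 3, 4,
                           owner="Records Manager", status="in-progress",
                           mitigation="Scan documents into the electronic records management system"))
    register.add(RiskEntry("Laptops, tablets and smart phones", "Loss or theft of an unencrypted device", 4, 5))
    findings = [  # constructed scanner output after false-positive triage
        {"asset": "Laptops, tablets and smart phones", "title": "Outdated VPN client", "severity": "high", "false_positive": False},
        {"asset": "Web server", "title": "TLS 1.0 enabled", "severity": "medium", "false_positive": True},
        {"asset": "Lobby kiosk", "title": "Missing OS patch", "severity": "critical", "false_positive": False},
        {"asset": "Web server", "title": "Unsupported software version", "severity": "critical", "false_positive": False},
    ]
    classification = {"Paper-only records": "sensitive",
                      "Laptops, tablets and smart phones": "critical", "Web server": "critical"}
    log_scan_findings(register, findings, classification)
    return register


if __name__ == "__main__":
    reg = build_sample_register()
    for e in reg.prioritized():
        print(f"{reg.score(e):>2} {reg.rating(e):<6} {e.status:<12} {e.asset}: {e.risk}")
```

Run as a script it prints the open register sorted by score: the confirmed web server finding (25, high) comes first, the two laptop risks (20, high) next, and the paper-records risk (12, medium, already in progress) last; the false positive and the out-of-scope kiosk finding never reach the register. Switching to `RiskRegister(scale=3)` gives the 9-point version with the same logic.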

An important part of reducing your liability is demonstrating due diligence.

This article was published in the September 2020 edition of The TMC Advisor (ISSN 2369-663X, Volume 7, Issue 6).

©2020 TMC Consulting